Network and computer security researchers use honeypots as a means to gather information about different types of attacks and attackers. The idea of a honeypot is to set up a computer system or network that appears to be vulnerable to certain types of attacks in order to attract attackers to exploit it. When the honeypot is attacked, the data from the attack can be collected and analyzed.
Attackers know about honeypots and try to avoid them. From the attacker's point of view, honeypots are a waste of resources that might give security researchers clues about their attack methods. It is therefore in their best interest to avoid honeypots and not interact with them. In turn, security researchers attempt to hide the fact that they are running a honeypot by using technological means to create a back story that provides context to make the honeypot appear more real. For example, if a security researcher is running a web-based honeypot, they might create an authentic looking website in order to trick the attacker into believing that it is legitimate. To that end, they might also register domain names in an attempt to provide context for the honeypot. Creating a honeypot that appears real, with a detailed context, is difficult to accomplish. Typically, with a few web searches, an advanced attacker can quickly determine if the back story and the context are real or whether they are being tricked. Upon determining that the site (i.e., the honeypot) is a hoax, the potential attacker will typically ignore it and move on.
Advanced attackers also seek out and target specific organizations to exploit. The location of the honeypot on the Internet can serve as an indicator to an attacker. For example, a security research team might want to set up a honeypot to simulate a petroleum fuel pump station. An advanced attacker would likely expect this fuel pump station to be located in a network belonging to a petroleum company. If the attacker discovers that the fuel pump station simulated by the honeypot is connected to the Internet via a residential connection, they will likely believe it to be a hoax (i.e., identify it as a honeypot) and ignore it. Additional examples include advanced attackers understanding that medical equipment is more likely to be seen within a hospital computer network, or that air traffic control systems are more likely to be seen in an airport network environment. If the attacker discovers that these systems reside in places other than where they expected them to, in other words, if the context of the honeypot is not accurate enough, they will likely ignore that honeypot and move on to other networks.
As such, it is difficult to create an authentic context for a honeypot if the system is not located where an attacker would expect it to be. Nonetheless, capturing the information gathered by honeypots is extremely important in understanding the tools and strategies attackers use to target and exploit specific networks. In other words, security researchers want attackers to believe that the honeypots are real in order to capture critical information for understanding the attack mechanisms and technologies used by advanced attackers.
One solution to provide context is to place the honeypot within an actual working environment. In this way, the context and the back story for the honeypot are already there and are accurate. For example, it might be possible to get permission to place a honeypot within the petroleum company's network. However, this solution is often impossible to execute because there is an inherent risk to the company hosting the honeypot in that it can leave itself vulnerable to the attacker, given the possibility that the attacker might have inadvertent access to the company's network should they escape or otherwise exploit the honeypot. More specifically, as with all technology, running a honeypot is not without its own risks. There is a possibility that the honeypot might be exploited in such a way that it can be used as an attack platform on the targeted company if it is placed within their network. Not surprisingly, it is common for organizations to refuse to place honeypots within their network.
Another problem introduced by the use of traditional honeypots is the poor or insufficient quality of the data collected. Attacks on the Internet are very common and it is typical for an organization to be probed and scanned hundreds, if not thousands, of times per day. However, most of the scans are initiated by unsophisticated attackers who are scanning the Internet for low-hanging fruit (i.e., easy targets to attack and exploit). Typically, these unsophisticated attackers use the following methodology: 1.) they find an exploit for a vulnerability in the software running on specific servers; 2.) they write or purchase a program to scan the Internet looking for those specific servers running the vulnerable software for which they have the exploit; and 3.) if they identify servers found to be vulnerable, they run the exploit in order to infect or access them. This type of attacker does not target any specific organization, nor do they care if they are detected. Because they are indiscriminate in selecting targets, they will typically also inadvertently attack honeypots. Security researchers can then detect, collect, and analyze the attack data provided from these honeypots. However, these data are not particularly useful or informative because the tools and methods used by unsophisticated attackers are likely well-known and well-researched already.
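One practical consequence of the above is that honeypot operators need to separate the indiscriminate scanner traffic from the rare interactions that might be targeted. The following is an added example, not code from the original text: a triage heuristic over constructed honeypot hit records, where the sensor ids, the documentation-range source addresses, the list of commonly scanned paths and the thresholds are all assumptions. A source that hits several unrelated sensors with the same few requests, or that only requests paths every commodity scanner asks for, is labelled indiscriminate; a source that stays on one sensor and explores many of its pages is flagged as a targeted candidate worth an analyst's time.

```python
from collections import defaultdict

# Constructed sample events (not from the text): (source_ip, sensor_id, request_path).
# Addresses are from documentation ranges; sensor ids are hypothetical honeypot instances.
SAMPLE_HITS = [
    ("203.0.113.5", "hp-fuel", "/.env"),
    ("203.0.113.5", "hp-hospital", "/.env"),
    ("203.0.113.5", "hp-airport", "/.env"),
    ("203.0.113.5", "hp-office", "/.env"),
    ("198.51.100.9", "hp-fuel", "/"),
    ("198.51.100.9", "hp-fuel", "/about"),
    ("198.51.100.9", "hp-fuel", "/pump/status"),
    ("198.51.100.9", "hp-fuel", "/pump/config"),
    ("198.51.100.9", "hp-fuel", "/login"),
    ("192.0.2.77", "hp-hospital", "/wp-login.php"),
]

# Paths that commodity scanners request on every host they find (assumed list).
COMMON_SCAN_PATHS = {"/.env", "/wp-login.php", "/phpmyadmin/", "/manager/html"}

MIN_SENSORS_FOR_MASS_SCAN = 3   # same source seen on this many unrelated sensors
MIN_PATHS_FOR_TARGETED = 4      # distinct pages explored on a single sensor


def summarize(hits):
    """Per-source counts: distinct sensors hit, distinct paths requested,
    and whether every requested path is a commodity scanner path."""
    sensors = defaultdict(set)
    paths = defaultdict(set)
    for src, sensor, path in hits:
        sensors[src].add(sensor)
        paths[src].add(path)
    return {
        src: {
            "sensors": len(sensors[src]),
            "paths": len(paths[src]),
            "only_common": paths[src] <= COMMON_SCAN_PATHS,
        }
        for src in sensors
    }


def classify(hits):
    """Label each source as indiscriminate, targeted-candidate or unknown."""
    labels = {}
    for src, s in summarize(hits).items():
        if s["sensors"] >= MIN_SENSORS_FOR_MASS_SCAN or s["only_common"]:
            labels[src] = "indiscriminate"
        elif s["sensors"] == 1 and s["paths"] >= MIN_PATHS_FOR_TARGETED:
            labels[src] = "targeted-candidate"
        else:
            labels[src] = "unknown"
    return labels
```

The thresholds are deliberately crude; in practice they would be tuned against the sensor fleet and combined with the back-story pages an attacker is expected to read if they believe the site.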
Much less information is available on the attacks used by advanced attackers. These types of attackers typically do not use the same approach as less sophisticated attackers because they do not want to advertise the tools and methods that they use. These types of attackers will target specific networks and might use previously unpublished techniques and methods, which they wish to keep secret. To date, generic honeypots do not provide the proper context to attract advanced attackers as they are too easily detected.